
Commit 858b3133 authored by Patrick McHardy

netfilter: nf_conntrack: split up IPCT_STATUS event



Split up the IPCT_STATUS event into an IPCT_REPLY event, which is generated
when the IPS_SEEN_REPLY bit is set, and an IPCT_ASSURED event, which is
generated when the IPS_ASSURED bit is set.

In combination with a following patch to support selective event delivery,
this can be used for "sparse" conntrack replication: start replicating the
conntrack entry after it reached the ASSURED state and that way it's SYN-flood
resistant.

Signed-off-by: Patrick McHardy <kaber@trash.net>
parent add67461
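--- a/<path-not-shown-on-page-1>
+++ b/<path-not-shown-on-page-1>
@@ -14,19 +14,20 @@
 
 /* Connection tracking event types */
 enum ip_conntrack_events {
-	IPCT_NEW		= 0,	/* new conntrack */
-	IPCT_RELATED		= 1,	/* related conntrack */
-	IPCT_DESTROY		= 2,	/* destroyed conntrack */
-	IPCT_STATUS		= 3,	/* status has changed */
-	IPCT_PROTOINFO		= 4,	/* protocol information has changed */
-	IPCT_HELPER		= 5,	/* new helper has been set */
-	IPCT_MARK		= 6,	/* new mark has been set */
-	IPCT_NATSEQADJ		= 7,	/* NAT is doing sequence adjustment */
-	IPCT_SECMARK		= 8,	/* new security mark has been set */
+	IPCT_NEW,		/* new conntrack */
+	IPCT_RELATED,		/* related conntrack */
+	IPCT_DESTROY,		/* destroyed conntrack */
+	IPCT_REPLY,		/* connection has seen two-way traffic */
+	IPCT_ASSURED,		/* connection status has changed to assured */
+	IPCT_PROTOINFO,		/* protocol information has changed */
+	IPCT_HELPER,		/* new helper has been set */
+	IPCT_MARK,		/* new mark has been set */
+	IPCT_NATSEQADJ,		/* NAT is doing sequence adjustment */
+	IPCT_SECMARK,		/* new security mark has been set */
 };
 
 enum ip_conntrack_expect_events {
-	IPEXP_NEW		= 0,	/* new expectation */
+	IPEXP_NEW,		/* new expectation */
 };
 
 struct nf_conntrack_ecache {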
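Review bot: Dropping the explicit initializers renumbers IPCT_PROTOINFO through IPCT_SECMARK from 4..8 to 5..9, and these constants are used as bit positions in event masks (`1 << IPCT_REPLY` in the ctnetlink hunk of this commit), so anything compiled against the old numbering, or any mask value that outlives a rebuild, would name the wrong event. Nothing on the page shows a consumer outside this tree, but the enum should state the constraint so the next insertion is made deliberately. Proposed comment above the enum: `/* Values are bit positions in event masks: inserting an entry shifts every later event, so all mask users must be rebuilt together. */`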
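--- a/<path-not-shown-on-page-2>
+++ b/<path-not-shown-on-page-2>
@@ -825,7 +825,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
 	}
 
 	if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
-		nf_conntrack_event_cache(IPCT_STATUS, ct);
+		nf_conntrack_event_cache(IPCT_REPLY, ct);
 
 	return ret;
 }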
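--- a/<path-not-shown-on-page-3>
+++ b/<path-not-shown-on-page-3>
@@ -1371,7 +1371,8 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 			else
 				events = IPCT_NEW;
 
-			nf_conntrack_eventmask_report((1 << IPCT_STATUS) |
+			nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
+						      (1 << IPCT_ASSURED) |
 						      (1 << IPCT_HELPER) |
 						      (1 << IPCT_PROTOINFO) |
 						      (1 << IPCT_NATSEQADJ) |
@@ -1396,7 +1397,8 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 		if (err == 0) {
 			nf_conntrack_get(&ct->ct_general);
 			spin_unlock_bh(&nf_conntrack_lock);
-			nf_conntrack_eventmask_report((1 << IPCT_STATUS) |
+			nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
+						      (1 << IPCT_ASSURED) |
 						      (1 << IPCT_HELPER) |
 						      (1 << IPCT_PROTOINFO) |
 						      (1 << IPCT_NATSEQADJ) |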
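Review bot: Both hunks report `(1 << IPCT_REPLY) | (1 << IPCT_ASSURED)` for every conntrack created or updated through netlink, regardless of whether IPS_SEEN_REPLY or IPS_ASSURED is actually set in ct->status, whereas the gre and sctp hunks in this commit emit IPCT_ASSURED only where the bit is set. If the new events are meant to mark state transitions, as the replicate-after-ASSURED use case in the description implies, a listener subscribed only to IPCT_ASSURED would be notified about entries that are not assured. One option is to gate the bit, e.g. `(test_bit(IPS_ASSURED_BIT, &ct->status) ? (1 << IPCT_ASSURED) : 0) |`, and likewise for IPCT_REPLY; where the status bits are applied to ct is outside both hunks, so this is inferred. ctnetlink_new_conntrack starts and ends outside the hunks.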
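--- a/<path-not-shown-on-page-4>
+++ b/<path-not-shown-on-page-4>
@@ -241,7 +241,7 @@ static int gre_packet(struct nf_conn *ct,
 				   ct->proto.gre.stream_timeout);
 		/* Also, more likely to be important, and not a probe. */
 		set_bit(IPS_ASSURED_BIT, &ct->status);
-		nf_conntrack_event_cache(IPCT_STATUS, ct);
+		nf_conntrack_event_cache(IPCT_ASSURED, ct);
 	} else
 		nf_ct_refresh_acct(ct, ctinfo, skb,
 				   ct->proto.gre.timeout);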
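Review bot: `set_bit(IPS_ASSURED_BIT, &ct->status);` is unconditional here, so IPCT_ASSURED is cached on every packet that takes this branch rather than only on the transition that the new event name describes; nf_conntrack_in in this same commit uses `test_and_set_bit` for the matching IPCT_REPLY case. The same shape would be `if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))` followed by `nf_conntrack_event_cache(IPCT_ASSURED, ct);`. Whether the repeated caching matters depends on how nf_conntrack_event_cache coalesces events, which is not visible on the page. The sctp hunk's condition begins outside its hunk, so whether it needs the same guard cannot be told from here; gre_packet's body also continues outside this hunk.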
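--- a/<path-not-shown-on-page-5>
+++ b/<path-not-shown-on-page-5>
@@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *ct,
 	    new_state == SCTP_CONNTRACK_ESTABLISHED) {
 		pr_debug("Setting assured bit\n");
 		set_bit(IPS_ASSURED_BIT, &ct->status);
-		nf_conntrack_event_cache(IPCT_STATUS, ct);
+		nf_conntrack_event_cache(IPCT_ASSURED, ct);
 	}
 
 	return NF_ACCEPT;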